There is another important thing happening this Wednesday. For those who are interested, I’ll be doing a podcast with Jeff Waugh and Bruce Byfield (Roblimo as moderator). They are reaching out for questions from readers at the moment.

There are a couple more noteworthy items. As amusement for the day consider this new cartoon which portrays Steve Ballmer as the next Darl McBride. If you want to read my new article on interoperability, you can find it in Datamation. █

So, Microsoft refers to a report that just happens to be written by one of its employees, but without mentioning that fact.

This isn’t exactly new (Matt Asay pointed this out a couple of days ago), but it connects nicely to our observation that Microsoft uses its internal people and various hired ‘analysts’ to deceive the public. More on that in a moment, but first, here’s Asay’s take.

It’s a convenient fiction that buying everything from one vendor makes life easier. It may make installation and integration between programs easier, but that ease leads to single points of failure. Hijacking a browser is nice, but using the browser to dig deep into the OS, to have that hijacking facilitated by a too-close tie between the browser and the OS? Even better.

For reasons that were briefly mentioned a couple of days ago, Microsoft likes to hide its patches (or simply not patch at all) in order to keep up appearance. There are some recent examples of this, e.g.:

This is the first time I’ve seen Microsoft prominently admit to silently fixing vulnerabilities in its bulletins — a controversial practice that effectively reduces the number of publicly documented bug fixes (for those keeping count) and affects patch management/deployment decisions.

Forget for a moment whether Microsoft is throwing off patch counts that Microsoft brass use to compare its security record with those of its competitors. What do you think of Redmond’s silent patching practice?

When Didier Stevens recently took a closer look at some Internet Explorer malware that he had found, something surprised him somewhat. He discovered that the IE-targeted malware had been obfuscated with null bytes (0x00), which the browser’s parser silently ignores but which break the byte-level signatures many scanners rely on. When he ran the sample against VirusTotal, fewer than half of the products identified it as malware (15 of 32). When all null bytes were removed, the chances of successful detection improved, though not as much as would normally be expected (25 of 32 detections).
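The following is an added illustration of the technique described above; it is not code from Stevens’ analysis or from this post. It uses a constructed, harmless script snippet and a hypothetical signature name to show why a scanner matching raw bytes misses a null-padded sample, and how normalising the input before matching restores detection (with a caveat for UTF-16 text, which legitimately contains nulls and must be decoded rather than stripped).

```python
"""Null-byte obfuscation versus a byte-signature scanner (added example)."""

# Constructed sample standing in for the kind of script fragment a signature
# would target; it is benign and only here to exercise the matcher.
SAMPLE_SCRIPT = b"<script>document.write(unescape('%3Cobject%20classid'));</script>"

# Hypothetical signature database: name -> byte pattern a scanner looks for.
SIGNATURES = {
    "Hypothetical.IE.Obfuscated.Write": b"document.write(unescape(",
}


def interleave_nulls(data: bytes, every: int = 1) -> bytes:
    """Insert a 0x00 after every `every` bytes.

    Lenient HTML/script parsers drop stray nulls, so the page still runs,
    but a contiguous byte signature no longer appears in the file.
    """
    out = bytearray()
    for i, b in enumerate(data, 1):
        out.append(b)
        if i % every == 0:
            out.append(0)
    return bytes(out)


def scan_raw(data: bytes) -> list:
    """Naive scanner: report every signature found as a raw substring."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def normalize(data: bytes) -> bytes:
    """Model what the parser sees before matching.

    Genuine UTF-16 text is full of nulls, so detect a BOM and decode it
    instead of stripping; otherwise stripping nulls mirrors the parser.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16").encode("utf-8")
    return data.replace(b"\x00", b"")


def scan_normalized(data: bytes) -> list:
    """Scanner that normalises first, so null padding does not hide the pattern."""
    return scan_raw(normalize(data))


def demo() -> dict:
    """Run both scanners over the clean and the null-padded sample."""
    obfuscated = interleave_nulls(SAMPLE_SCRIPT)
    return {
        "clean_raw": scan_raw(SAMPLE_SCRIPT),
        "obfuscated_raw": scan_raw(obfuscated),
        "obfuscated_normalized": scan_normalized(obfuscated),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits}")
```

The raw scanner finds the pattern in the clean sample and nothing in the padded one; after normalisation the padded sample is caught again. Real engines do more than substring matching, which is why detection in Stevens’ test only partly recovered after the nulls were removed, but the gap between the two scanners is the mechanism the post is describing.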

Going further back you’ll find that IE7 has already been the victim of quite a lot of “critical” flaws (the highest level of severity, which compromises the operating system remotely, with or without user intervention). Examples include:

“This type of vulnerability has been very popular with malicious attacks in the past, and we expect to see its usage increase substantially, now that exploit code is publicly available,” security vendor Websense warned in a note published Monday.

The vulnerability relates to the message IE displays when Web page loading is aborted, Raff wrote. An attacker can rig the message by creating a malicious link. The message will offer a link to retry loading the page; hitting it brings up the attacker’s page, but showing an arbitrary Web address, he wrote.

It’s bad enough when crooks exploit bugs to ruin a home computer, but the consequences of a successful attack can be much worse. A substitute teacher in Norwich, Connecticut, found that out when a computer she was using in her classroom suddenly started showing pornographic pop-up ads to everyone in the class. She now faces up to 40 years in prison after being convicted of willfully showing her students the images. A security expert hired by her defense, however, says he found malicious software on the PC.

Opinion: Microsoft used the January 2007 security update to induce users to try Internet Explorer 7.0 whether they wanted to or not. But after discovering they had been involuntarily upgraded to the new browser, they next found that application incompatibility effectively cut them off from the Internet.

“But browser testers may already be at risk, according to security researcher Tom Ferris. Late Tuesday, Ferris released details of a potential security flaw in IE 7. An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system, Ferris said in an advisory on his Web site. Microsoft had no immediate comment on Ferris’ alert.”

The flaw stems from an error in the handling of redirections for URLs with the “mhtml:” URI handler. Security notification firm Secunia reports that the same bug was discovered six months ago in IE6 but remains unresolved.

First reported by Florida-based Sunbelt Software Tuesday, the bug has already been used to compromise PCs and load them with scores of adware and spyware programs, as well as other malicious code. Users surfing with IE 6 and earlier can be infected simply by viewing the wrong site.

This is the second unpatched flaw found in IE over the past week. On Sept. 14, researchers posted code that could be used to exploit a different vulnerability in a multimedia component of the Web browser. Microsoft is still investigating that flaw and is not saying whether it too will be patched next month.

In the SmartWare test, Microsoft’s Internet Explorer 7 blocked 690 known phishing sites, or 66.35 percent of the total. In contrast, Firefox blocked 78.85 percent when using a local antiphishing database and 81.54 percent when using the online database.

How much longer? “In the last reporting period, the second half of last year, Microsoft had acknowledged 13 vulnerabilities. We’ve now revised it to 31. The difference is that now Microsoft has acknowledged these vulnerabilities.”

[...]

“Mozilla can turn around on a dime,” Levy said. “Open-source programmers can recognize a problem and patch it in days or weeks.”

And as for Microsoft?

“If a vulnerability is reported to Microsoft, Microsoft doesn’t acknowledge it for at least a month or two. There’s always a certain lag between knowing about a bug and acknowledging it,” Levy said.

Other recent articles state that Firefox has its own weak points, but often these are the result of attempts to mimic IE functionality on Windows, which means the fragile layer is the operating system, not just the Web browser. On operating system security, consider the following articles from the past year:

The great value of GNU/Linux is something that Microsoft itself cannot deny. In fact, it wasn’t long ago that it was ‘caught’ praising it. Microsoft’s campus is full of Linux devices that the company is happy with.

What the press statement didn’t mention is that Aruba mobility controllers run the Linux operating system which Microsoft has aggressively targeted as being inferior to Windows as part of its “Get the Facts” marketing campaign.

[...]

Pandey’s appraisal of Aruba’s technology is in stark contrast to Microsoft’s “Get the Facts” rhetoric which places Windows as a more secure, and higher-performing choice over Linux.

This month’s announcement by Microsoft to acquire digital marketing services firm aQuantive has revealed little on how the companies will integrate their IT, but inside information indicates the deal may be Redmond’s largest commitment to free software.

[...]

Whether the businesses are complementary or not, Microsoft’s integration work will no doubt involve a lot of open source software used by aQuantive.

Information available from Atlas’ Web site indicates the Internet software company employs extensive use of open source software including Linux, Apache, MySQL, and Solaris.

Software engineers at Atlas’ Raleigh office do client/server development in C and C++, software maintenance and “scripting”, and developing and maintaining custom reporting capabilities.

Remember Hotmail, which ran a BSD for several years after Microsoft had acquired it? There are many more examples, but they would make this post extremely long.

As promised, returning to the original point of this post, Microsoft can deny the truth all it wants, but we ought to judge things for ourselves. While Microsoft controls the media, buys the media, and even buys voices on the Internet, nobody can be trusted. The antitrust exhibit known as “Effective Evangelism” [PDF] shows that Microsoft has for a long time intended to hire analysts whose output only appears to be independent. One need only look a month back for a live demonstration.

Going a year into the past, Redmond Kool-Aid seems likely to have played a role in another story which turned out to be an anti-Firefox lie. It did a lot of damage even after it was called a lie, by admission of the claim’s own so-called ‘hacker’. More information here.

Lately, I read the headline: “Open Source browser Firefox is so critically flawed that it is impossible to fix, according to two hackers.” Further on, in the ZDNet article I read: “The hackers claim they know of about 30 unpatched Firefox flaws. They don’t plan to disclose them, instead holding onto the bugs.”

Since that sounds suspicious, I decided to start searching for connections with MS. Easy enough, here it is…

So, as you can see, the anti-Mozilla Firefox crusade has roots in the past. It remains to be seen how the media will respond to Microsoft’s latest attempt to spread Firefox FUD. █

Update: A Mozilla senior, who is also a former Microsoft employee, spills the beans on Microsoft and reveals more information about the deception mentioned above.

This is a small subset of all the vulnerabilities, because the vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update.

A couple of weeks ago we wrote about irregularities in Portugal where Microsoft’s latest ‘felony’ was having a fox watch the henhouse. Analogies aside, Microsoft does everything it can to ensure that its own people are those who vote on its own specification (ECMA standard). There is a long track record of this and as disturbing as it is, rarely does anyone seem to intervene and put an end to it.

There are rumors circulating in Ireland that Microsoft’s Stephen McGibbon might be part of the Irish delegation to attend the BRM in Geneva. Microsoft is already controlling the Portuguese delegation, you can expect that they will control half of the table at Geneva. O’MyGod!

In other OOXML news, Andy Updegrove makes progress on his eBook which covers the confrontation involving OOXML and ODF. Here is a fragment of text.

Microsoft came late in the game to the server marketplace, but unlike some markets it tried to penetrate with limited success, the competitive landscape for servers was very different. This was because most of Microsoft’s PC customers also used servers, and these customers could gain technical advantages by buying products from the same vendor that would need to work together. They could also expect favorable bundled pricing as well, and that pricing could be very attractive indeed as Microsoft first entered the market for server operating system software. In addition, the dominant operating system in the server marketplace, called UNIX, was already losing ground to new competing products.

Still, fourteen years after introducing its first version of Windows usable on servers, Microsoft has today not a 90% market share, but a rising [42%] position, sharing the server niche with declining sales of UNIX systems, which continue to be offered in various proprietary flavors by vendors such as IBM, Sun Microsystems and Hewlett-Packard, and also with an “open source” operating system called Linux, which is dominant in applications such as Web hosting, and enjoys a roughly equal market share with Microsoft overall.

A long post from the weekend covers plenty of those manipulation games as well. This is just a recurring, ever-lasting pattern, and it is unlikely to end until people stand up and demand change. █

Sadly enough, the ISO continues to fail. The lack of transparency in the ISO not only gave birth to OpenISO, but it also led to loss of trust, many misdeeds, and great anger. Microsoft totally controls the ISO (the image on the left says it all). At this point in time, it is important to track and document all the oddities in the process. Only then can the ISO return to its senses and regain credibility. Until it does, it will be possible for corporations to merely buy a standard rather than earn one.

1. OASIS ODF TC mailing list archives are public for anyone to read
2. OASIS ODF TC public comment list archives are public for anyone to read
3. OASIS ODF TC meeting minutes, for every one of our weekly teleconferences going back to 2002, are all public for anyone to read.
4. The results of ODF’s ballot in ISO are public, including all of the NB comments
5. The comments on ODF from SC34 members are also public
6. The ISO Disposition of Comments report for ODF is also public for anyone to read

[...]

But what about the OOXML process? Every single one of the above items is unavailable to the public, and in many cases is not available even to the JTC1 NB’s who are deciding OOXML’s fate.

On a related note, it is now being reported that the obscurity of the DIS 29500 standardisation process has its reasons.

Charles makes some good points about why ECMA refuses to help the national committees to resolve all comments.

The first release candidate of Linux Caixa Mágica 12, a Portuguese Linux distribution, is now available for download and testing. The most interesting change is the fact that this release is no longer based on openSUSE, as was the case with all of the project’s previous releases, but on Mandriva Linux 2008.

In our little just-for-fun comparison, we the judges find that Mandriva wins by 4 categories to 2. But to the original question the answer would be to go buy the Mandriva Power Pack or try PCLOS or ALT Linux, in which advanced power saving features do work out of the box. Also, YMMV.

It would be interesting to know what made Caixa Mágica developers change their minds. █

Popfly was introduced several months ago by Microsoft. It was not too clear at the time how Linux users would be treated. The following new article sheds some light on this issue:

However, the Silverlight platform — and Popfly — does have one flaw, which is no Linux support. Even Adobe releases its current builds of the Flash runtime to Linux users. Whether Microsoft likes it or not, Linux is here to stay and is a growing force on the desktop thanks to universal-audience distributions such as Ubuntu.

Moonlight will potentially give some Web developers the impression that Silverlight does no harm to Linux users. It might be another case where Microsoft has developers carrying water for it, ‘punishing’ Linux users in the process.

A Microsoft Corp. technical evangelist referred to independent software developers writing for Windows and the company’s other software platforms as “pawns” and compared wooing them to convincing someone to have a one-night stand, according to testimony presented Friday against Microsoft in an ongoing antitrust case in Iowa.

23 Q. Okay. Apparently, Mr. Plamondon says there are very valuable pawns in the struggle, however.

——-

18 Q. Okay. He then goes on to say, I have decided that we should not publish these extensions.

24 Q. Okay. And what’s the effect of not documenting those extensions?

1 A. They won’t be available.

The take-away message is that Microsoft will continue to use third-party developers (a derogatory term in its own right) to do its dirty work. Silverlight is one tool that achieves exclusions when used by an army of developers. █